Allow rootless containers with privileged to mount devices that are accessible
(ignore permission errors in rootless mode).
This patch updates oci.getDevices() to ignore access denied errors on sub-
directories and files within the given path if the container is running with
userns enabled.
Note that these errors are _only_ ignored on paths _under_ the specified path,
and not the path itself, so if `HostDevices()` is used, and `/dev` itself is
not accessible, or `WithDevices()` is used to specify a device that is not
accessible, an error is still produced.
Tests were added, which include a temporary workaround for compatibility
with Go 1.16 (we could decide to skip these tests on Go 1.16 instead).

To verify the patch in a container:

    docker run --rm -v $(pwd):/go/src/github.com/containerd/containerd -w /go/src/github.com/containerd/containerd golang:1.17 sh -c 'go test -v -run TestHostDevices ./oci'
    === RUN TestHostDevicesOSReadDirFailure
    --- PASS: TestHostDevicesOSReadDirFailure (0.00s)
    === RUN TestHostDevicesOSReadDirFailureInUserNS
    --- PASS: TestHostDevicesOSReadDirFailureInUserNS (0.00s)
    === RUN TestHostDevicesDeviceFromPathFailure
    --- PASS: TestHostDevicesDeviceFromPathFailure (0.00s)
    === RUN TestHostDevicesDeviceFromPathFailureInUserNS
    --- PASS: TestHostDevicesDeviceFromPathFailureInUserNS (0.00s)
    === RUN TestHostDevicesAllValid
    --- PASS: TestHostDevicesAllValid (0.00s)
    PASS
    ok github.com/containerd/containerd/oci 0.006s

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
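
The rule described in this commit message, sketched as an added example (not code from the patch or from containerd): permission errors are skipped only for entries under the requested path, and only when running in a user namespace. The `node` type, the `collect` function and the `sampleTree` data are hypothetical, with an in-memory map standing in for the host's `/dev`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
)

// node is a constructed stand-in for one host path (hypothetical type).
type node struct {
	err      error    // error returned when the path is accessed
	children []string // non-nil marks a directory
}

// collect returns the device paths under p. An error on p itself is always
// returned; permission errors on entries below p are skipped when inUserNS.
func collect(t map[string]node, p string, inUserNS bool) ([]string, error) {
	n := t[p]
	if n.err != nil {
		return nil, fmt.Errorf("%s: %w", p, n.err) // the requested path itself
	}
	if n.children == nil {
		return []string{p}, nil // leaf: treated as a device node
	}
	var out []string
	for _, c := range n.children {
		devs, err := collect(t, path.Join(p, c), inUserNS)
		if inUserNS && errors.Is(err, fs.ErrPermission) {
			continue // inaccessible entry under p: ignored in a user namespace
		}
		if err != nil {
			return nil, err
		}
		out = append(out, devs...)
	}
	return out, nil
}

// sampleTree is constructed data: one readable device, two denied entries.
var sampleTree = map[string]node{
	"/dev":        {children: []string{"null", "secret", "vfio"}},
	"/dev/null":   {},
	"/dev/secret": {err: fs.ErrPermission},
	"/dev/vfio":   {err: fs.ErrPermission, children: []string{}},
}

func main() { fmt.Println(collect(sampleTree, "/dev", true)) }
```

Calling `collect` with `inUserNS` set to false, or with `/dev/secret` as the requested path, returns the permission error instead of skipping it.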